• ssh login to your CS407
• ipkg -force-depends install bind (provided you have configured optware for your CS407) — link –
• I pretty much followed the instructions for setting up and configuring a primary DNS server, so nothing to add from my side
• reverse DNS lookup of any IP address in the local zone doesn’t work so far (any hint appreciated)

Alternatively a DNSMasq package is available …

• ssh login to your CS407
• ipkg -force-depends install openldap (provided you have configured optware for your CS407) — link –
• cd /opt/etc/openldap/ and edit slapd.conf and add the following lines (take a look at the README to define which schema files are appropriate for your environment) – below listed schema files are made available through the installation process:

include         /opt/etc/openldap/schema/core.schema
include         /opt/etc/openldap/schema/cosine.schema
include         /opt/etc/openldap/schema/inetorgperson.schema
include         /opt/etc/openldap/schema/rfc2307bis.schema
include         /opt/etc/openldap/schema/ppolicy.schema

• then start the ldap daemon with the following command: /opt/libexec/slapd
• I use “Apache Directory Studio” (an Eclipse based LDAP Browser and Directory client) to manage and administer the openldap (you should find the credentials in slapd.conf).
• create your base DN (e.g.: dc=private,dc=lan)
• once a base DN has been created you should find the following lines in slapd.conf:

##################
# BDB database definitions
##################

database        bdb
suffix          “dc=private,dc=lan”
rootdn          “cn=administrator,dc=private,dc=lan”
rootpw          ***********
directory       /opt/var/openldap-data
checkpoint 1024 5
cachesize 10000
# Indices to maintain
checkpoint 1024 5
cachesize 10000
index objectClass,uidNumber,gidNumber eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres

• once your base DN definitions are OK, you can continue creating / importing your user / groups definitions (e.g. by creating ldif files)
• if you need to add your own objectclass or attribute definitions, take a look at a schema extension file I created to provide basic Lotus Notes/Domino LDAP attributes (attibute definitions must be defined first):

objectidentifier DominoOC 2.16.840.1.113678.2.2.2.1.1
objectidentifier DominoAT 2.16.840.1.113678.2.2.2.2.1

##
## Attribute Section
##

attributetype ( DominoAT:1 NAME ( ‘MailServer’ )
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( DominoAT:2 NAME ( ‘MailFile’ )
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( DominoAT:3 NAME ( ‘HTTP-HostName’ )
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( DominoAT:4 NAME ( ‘HTTP-Port’ )
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( DominoAT:5 NAME ( ‘notesDN’ )
DESC ‘attribute to uniquely identify a domino user’
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

##
## Objectclass Section
##

objectclass ( DominoOC:1 NAME ( ‘dominoPerson’ ) SUP top AUXILIARY
DESC ‘represents the dominoPerson object class’
MAY ( notesDN $ MailServer $ MailFile ) )

objectclass ( DominoOC:2 NAME ( ‘dominoServer’ ) SUP top STRUCTURAL
DESC ‘represents the dominoServer object class’
MAY  ( cn $ displayName $ description $ HTTP-HostName $ HTTP-Port))

• add the schema extensions using the include command to your slapd.conf
• the installation also adds a script to automatically start the ldap daemon when rebooting your cs407 (/opt/etc/init.d/S58slapd)
• if you need to stop the ldap process: killall slapd

1. download and extract openvpn-2.x.zip
2. copy easy-rsa folder to /opt/etc/openvpn/easy-rsa
3. edit vars in folder /opt/etc/openvpn/easy-rsa
   export KEY_CONFIG=/opt/etc/openvpn/easy-rsa/openssl.cnf
   export KEY_DIR=/opt/etc/openvpn/private.lan/keys
   export KEY_COUNTRY=YOURCOUNTRY
   export KEY_PROVINCE=YOURPROVINCE
   export KEY_CITY=YOURCITY
   export KEY_ORG=”YOURCOMPANY”
   export KEY_EMAIL=”YOUREMAILADDRESS”
4. switch to bash shell: bash-3.2#
5. . vars
6. ./clean-all

As you create certificates, keys, and certificate signing requests, understand that only .key files should be kept confidential.  .crt and .csr files can be sent over insecure channels such as plaintext email.

• Start with building your own Certificate Authority
• ./build-ca

Generating a 1024 bit RSA private key, writing new private key to ‘ca.key’
You are about to be asked to enter information that will be incorporated into your certificate request. This information is retrieved from your vars file
For the Common Name use  e.g. a combination of your server name and MAC address: CS4071101AF2018964

• Create your server key files
• ./build-key-server server

Generating a 1024 bit RSA private key, writing new private key to ’server.key’
Common Name (eg, your name or your server’s hostname) :cs407
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y

• Then create your client key files
• ./build-key thinkpad

Generating a 1024 bit RSA private key, writing new private key to ‘thinkpad.key’
Common Name (eg, your name or your server’s hostname) []:thinkpad
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y

• Generate Diffie Hellman parameters
• ./build-dh

Using tls-auth requires that you generate a shared-secret key that is used in addition to the standard RSA certificate/key:

• openvpn –genkey –secret ta.key

In the server configuration file (server.ovpn), add:

tls-auth ta.key 0
max-clients 5 (or any number)

Copy the following files to the CS407 folder /opt/etc/openvpn/config:

1. ca.crt
2. dh1024.pem
3. server.crt
4. server.key
5. server.ovpn
6. ta.key

Copy the following files to your client folder C:\Program Files\OpenVPN\config

1. ca.crt
2. thinkpad.crt
3. thinkpad.key
4. client.ovpn
5. ta.key

In the client configuration file (client.ovpn), add:

tls-auth ta.key 1

Restart openvpn on your CS407 and connect your openvpn client:

cd /opt/etc/init.d
sh S24openvpn

In case you need to revoke access for specific users:

. vars
./revoke-full “clientname”

Setup of your CS407

1. ssh login to your CS407
2. ipkg -force-depends install openvpn (provided you have configured optware for your CS407) — link –
3. mkdir /dev/net
4. mknod /dev/net/tun c 10 200
5. mkdir /lib/modules/2.6.15
6. download tun.ko (this is the kernel 2.6 version; to download you will have to register)
7. cp tun.ko /lib/modules/2.6.15/
8. echo 1 > /proc/sys/net/ipv4/ip_forward

If you want to download the sample server/client configuration files, follow below links:

– server –
– client –

Then:

1. cp -R /volume1/public/config /opt/etc/openvpn/
2. cd /opt/etc/openvpn
3. chown -R root openvpn
4. chgrp -R root openvpn
5. chmod -R 755 openvpn

For autostart:

1. cp /opt/etc/openvpn/config/S24openvpn /opt/etc/init.d/
2. chmod 755 /opt/etc/init.d/S24openvpn

Start your VPN Server:

cd /opt/etc/init.d
sh S24openvpn

Download openvpn client

- to be able to reach other private subnets behind the server (CS407)when connecting through VPN add a route on your local clients (e.g. 192.168.1.111): “route ADD  -p 192.168.11.0 MASK 255.255.255.0 192.168.1.7″

[192.168.11.0 - your VPN network] : [192.168.1.7 - your CS407] : [192.168.1.0 - your local network]

==> next step is to create your own PKI, which you will find here

This is a guide on how to enable the NFS capabilities of the Synology product. This procedure is aimed for users who are experienced with Telnet and the Linux Operating System. Please note that improper manipulation or modification of the Synology server may result in machine malfunction or loss of data.

Please make sure that the Synology product has firmware 2.0.3 – 0518 or above, along with the Telnet service or SSH Service enabled. Both files can be found here.

Instructions for the NFS Server

Telnet into the Synology product and perform the following

Enabling Service

cd /usr/syno/etc/rc.d
mv S83nfsd.sh.sample S83****.sh
reboot (or /usr/syno/etc/rc.d/S83****.sh start)
vi /etc/exports

Note: * needs to be replaced with a number

Exports file

In the exports file, add the following line

e.g.: /volume1/upload 192.168.* (ro,root_squash,no_subtree_check)

Save the export file Check if the file /var/lib/nfs/rmtab does exist, if not, then run the following command:

touch /var/lib/nfs/rmtab

Now perform the following command

cd /
/usr/sbin/exportfs -a

Testing

Look at /var/log/messages to check whether the settings are ok with your Synology product

Instructions for Linux NFS Client

On your NFS client, perform the following to mount the NFS Server share

mount IP.of.Synology.NAS.Server:/volume1/upload /mnt

Note: /volume1/local/share/folder must exist locally, otherwise the mount will fail.

Notes

The NFS Service is disabled after every firmware upgrade.
The NFS mount is not shown in the web interface
Files saved on the Synology server are case-insensitive.

Supported versions:

NFS 2.0

NFS 3.0

MTU Jumbo frames

For some NFS clients (eg. TViX 6500/7000), errors are reported if jumbo frames are enabled. Mounting the NFS is possible: try disabling the jumbo frames setting in the Synology Disk Station Manager

Additional Resources

http://www.synology.com/enu/forum/viewforum.php?f=41

http://www.faqs.org/docs/securing/chap5sec33.html

http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/custom-guide/s1-nfs-mount.html

http://www.synology.com/wiki/index.php/Export_Filesystem_as_NFS

http://www.synology.com/wiki/index.php/How_to_enable_NFS_on_the_Synology_Server

1. download bootstrap for cs407 from http://ipkg.nslu2-linux.org/feeds/optware/syno-x07/cross/unstable/
2. sh syno-x07-bootstrap_1.2-3_arm.xsh
3. follow instructions (reboot) and run bootstrap.sh
4. “ipkg install” required libraries: e.g. gdbm, libid3tag, sqlite_3, codec support and  gcc (lib prerequisites are echoed when installing)
5. download latest nightly build from firefly (mt-daapd-svn-1696.tar.gz)
6. compile with gcc and following options: ./configure –enable-sqlite3 –enable-oggvorbis –enable-flac –enable-mdns –prefix=/opt/local/mt-daapd
7. then “make” and make “install”
8. add lib path  to “/root/.profile”: export LD_LIBRARY_PATH=/opt/local/lib
9. for autostart copy “/opt/local/mt-daapd/etc/S99firefly.sh” to “/usr/syno/etc/rc.d/S99firefly.sh”

A good web client is FirePlay – if an iPhone version is needed use CrossFire.

Instead of using the built-in versions of UPNP and MT-DAAPD (which is basically an old version of FireFly performing very badly) of my cs407 I now have TwonkyVision to stream media to my PS3 and a FireFly to stream music when being outside of my local network; this also requires to forward port 3689 in the router.

When using iTunes remotely use Rendezvous proxy or the FirePlay web client.

SSH can either be enabled using the latest firmware and a patch, or using the recent beta firmware which allows you enable and disable SSH from the web-based management interface. However, I was a little concerned about the default settings of SSHD, especially if one were to SSH over the internet and not just a local network. First, SSH protocol 1 is enabled which can be a security risk. Second, root login is permitted (which is understandable since regular users can’t seem to SSH in by default. Unfortunately, there are some caveats to disabling root login via SSH, which I discuss at the end of this post). Here are the steps I took to resolve the above issues (I assume you already have SSH working and can login as root or admin. Also, you should know how to use vi, or at least read this introduction):

1. Create a regular user from the web-based management interface if you have not done so already. Let’s say the username is frank.

2. Login as root via SSH.

3. Execute the following from the command line as root:

mkdir /volume1/users
mkdir /volume1/users/frank
cp /root/.profile /volume1/users/frank
chown -R frank:users /volume1/users/frank
vi /volume1/users/frank/.profile

Change the line that reads “HOME=/root” to “HOME=/volume1/users/frank”, then quit saving changes.

4. Execute the following from the command line as root:

cp -p /etc/passwd /etc/passwd.orig
vi /etc/passwd

Change frank’s home directory (entry before the last “:”)from “/nonexist” to “/volume1/users/frank”
and his shell (entry after the last “:”) from “/sbin/nologin” to “/bin/sh”, then quit saving changes.*

5. Make sure you can login as frank by executing the following from the command line as root:

su – frank
pwd
echo $HOME
exit

6. Execute the following from the command line as root:

cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
vi /etc/ssh/sshd_config

Change the line “#Protocol 2,1″ to “Protocol 2″ and the line “#PermitRootLogin yes” to “PermitRootLogin no”, then quit saving changes (notice we removed the “#” from both lines).

You may also want to adjust the “LoginGraceTime” and “MaxAuthTries” settings, just be sure to remove the leading “#” from those lines.

7. Restart SSHD. If you are using the beta firmware you can disable then enable the service using the web-based management interface. If not, you may be able to use the disable SSH patch, then the enable SSH patch which may restart your NAS device (I have not tested this), or you can simply execute the following from the command line as root:

/usr/syno/etc.defaults/rc.d/S95sshd.sh restart

I have not personally tested the above command either, and it may end your SSH session if that is where you execute it from. Alternatively, you could temporarily enable Telnet, login as root to execute the command above, then log out and disable Telnet.

8. Test the changes. If you use “ssh -1 user@host” when connecting to your NAS device, you should get an error that reads something like “Protocol major versions differ: 1 vs. 2″. If you try to SSH in as root, it should prompt you for the password, but give you an error like “Permission denied, please try again.” even if you supply the correct password. Finally, you should be able to login via SSH as your regular user (i.e. frank).

*Please note, that if you change your regular user’s info (like password, etc.) using the web-based management interface, the information in /etc/passwd will revert back to the defaults, which will no longer let you login via SSH using that user. If this happens, don’t panic, you can always SSH in as admin (which should have the same password as root, but not the same privileges). Unfortunately, only root can execute the “su” command, so to allow your regular user to use SSH again you will have to temporarily enable Telnet, login as root, repeat step #4 above, logout and disable Telnet.

Telnet is also the only way to regain root command line access, which is required to edit “/etc/ssh/sshd_config”, should you want to restore root SSH logins at some point. Alternatively, one could install sudo to execute commands as root, but that is beyond the scope of this post.

Hope this helps anyone wanting to secure SSH access. I used information from the following posts to accomplish this:
how to rsync over ssh as an unprivileged user
how restart SSH server